[clamav-users] Clamd vs clamscan

Kris Deugau kdeugau at vianet.ca
Wed Feb 10 15:22:44 UTC 2016


Gene Heskett wrote:
> But, I do wish that clamd would send me a substitute email advising that 
> it has stashed a suspect incoming email into the 
> mailfile /var/spool/mail/virii.  I try to look that file over for FP's, 
> but quickly get lost in the visual garbage because its probably a zip'd 
> file.

This depends on exactly where clamdscan is being called in your mail
processing; ClamAV just does a bunch of pattern matching and returns a
result in most configurations.

On my personal server, I call Clam from the MIMEDefang milter such that
all signature-based hits get discarded sight unseen, but any hits on any
phishing or "Heuristics" tests get a header added for consideration by
SpamAssassin, precisely because of things like:

> I just looked over 260kb of what clamd id'd as virii, but which in
> fact are 5 messages from my bank about a new CC they were sending me, 
> and some 5 or 6 were propaganda from AARP. And 3 shipping notices 
> regarding stuff I bought thru ebay. In this case, an FP rate in excess 
> of 90%! That is so high that I am expunging the clamd recipe from 
> my .procmailrc as the next thing I do.  Only two files 
> containing .zip's, were real suspects, and I do have a delete button.

I suspect those FP hits are Heuristics.Phishing.Email.SpoofedDomain
hits.  A lot of organizations that should really know better tend to
trigger this with third-party mailings or promotional mailings where the
link text says "mybank.com", but the link address is "tracking.example.com".

-kgd
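
The two mechanics in Kris's message, routing on the clamd verdict name (signature hits discarded, Heuristics/phishing hits only tagged with a header for SpamAssassin) and the link-text versus link-target mismatch behind the SpoofedDomain name, as an added example. It is written in Python rather than as a MIMEDefang Perl filter and is not ClamAV, MIMEDefang or either poster's code. It assumes clamd's "<target>: <name> FOUND", "<target>: OK" and "<target>: <reason> ERROR" reply lines; the X-Clam-Heuristic and X-Clam-Error header names, the "last two labels" notion of a registrable domain, the sample verdict lines and the sample HTML are all constructed for the example, and the domain comparison is a deliberately simplified stand-in, not ClamAV's own phishing logic.

```python
"""Illustrative mail-filter policy on clamd verdicts, plus a simplified
version of the link-text/href mismatch that Heuristics.Phishing.Email.
SpoofedDomain flags.  Added example; not ClamAV or MIMEDefang code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# clamd replies "<target>: <signature> FOUND", "<target>: OK" or
# "<target>: <reason> ERROR" (target is "stream" for INSTREAM scans).
VERDICT_RE = re.compile(
    r"^(?P<target>.*?): (?:(?P<name>\S+) FOUND|OK|(?P<err>.*) ERROR)$")


def classify_verdict(line):
    """Return (action, detail): 'clean', 'discard', 'tag' or 'error'.

    Policy modelled on the post (an assumption, not a ClamAV default):
    signature hits are discarded, Heuristics.* / phishing hits are only
    tagged so SpamAssassin can weigh them against everything else."""
    m = VERDICT_RE.match(line.strip())
    if not m:
        return "error", "unparsed verdict: " + line.strip()
    if m.group("err") is not None:
        return "error", m.group("err")
    name = m.group("name")
    if name is None:
        return "clean", None
    if name.startswith("Heuristics.") or ".Phishing." in name:
        return "tag", name
    return "discard", name


def filter_action(verdict_line, headers):
    """Apply the policy to one message; headers is a simplified dict.
    Returns ('discard', headers) or ('accept', new_headers)."""
    action, detail = classify_verdict(verdict_line)
    if action == "discard":
        return "discard", headers
    new = dict(headers)
    if action == "tag":
        # Hypothetical header name.  SpamAssassin can score it with a
        # local rule such as:  header X_CLAM_HEUR X-Clam-Heuristic =~ /./
        new["X-Clam-Heuristic"] = detail
    elif action == "error":
        new["X-Clam-Error"] = detail   # scanner failed: never drop mail on that
    return "accept", new


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname.  Assumption: adequate for .com;
    a real check needs the public-suffix list (e.g. for .co.uk)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


# Crude "does the anchor text look like a hostname or URL" test.
DOMAIN_TEXT_RE = re.compile(
    r"(?:https?://)?(?:www\.)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def spoofed_links(html):
    """Return (shown_domain, real_domain) pairs where the link text names
    one domain but the href goes to another, i.e. the "mybank.com" text
    over a tracking.example.com URL that trips the SpoofedDomain check."""
    p = _LinkCollector()
    p.feed(html)
    out = []
    for href, text in p.links:
        m = DOMAIN_TEXT_RE.search(text)
        if not m:
            continue            # "log in" / "click here" cannot spoof a domain
        shown = registrable_domain(m.group(1))
        real = registrable_domain(urlparse(href).hostname or "")
        if shown != real:
            out.append((shown, real))
    return out


# Constructed sample data (not real mail, not real scanner output).
SAMPLE_VERDICTS = [
    "stream: OK",
    "stream: Win.Test.EICAR_HDB-1 FOUND",
    "stream: Heuristics.Phishing.Email.SpoofedDomain FOUND",
    "/var/spool/tmp/msg: Can't open file or directory ERROR",
]
SAMPLE_HTML = """<html><body>
<p>Your new card is on its way.</p>
<p>Track it at <a href="https://tracking.example.com/c/1234">mybank.com</a>.</p>
<p>Or <a href="https://www.mybank.com/cards">log in</a> to your account.</p>
</body></html>"""

if __name__ == "__main__":
    for line in SAMPLE_VERDICTS:
        print(line, "->", filter_action(line, {"Subject": "Your new card"})[0])
    print(spoofed_links(SAMPLE_HTML))
```

The point of splitting the verdict this way is the one Kris makes: a signature match is a near-certain positive, while a Heuristics.* name is a guess whose false-positive rate depends entirely on what legitimate senders do with their links, so it belongs in SpamAssassin's scoring rather than in a discard rule. The scanner-error branch is kept separate so a clamd outage never silently drops mail.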
